

Protection Level Assignments for a Context Template

A federation deployment that uses the SiteMinder Connector for delegated authentication requires that you associate protection levels with each authentication URI. The protection level indicates a level of assurance in the strength of the authentication. Each protection level is mapped to a URI strength level. Ensure that the protection level assignments reflect the protection levels of the CA SiteMinder® authentication scheme.

Note: In a deployment with the SiteMinder Connector, the protection level overrides the level specified in the connector authentication scheme.

When you assign protection levels in the Administrative UI, specify a range. Specify the maximum level for each URI in the list. The minimum protection level is automatically calculated based on the maximum level for the subsequent URI in the list. The range has to cover the configured CA SiteMinder® authentication schemes. For example, if CA SiteMinder® configures an X.509 authentication scheme at a protection level of 20, ensure that the range specified for CA SiteMinder® Federation includes 20.

Protection Level Example

| SiteMinder Authentication Scheme | Protection Level |
|---|---|
| urn:oasis:names:tc:SAML:2.0:ac:classes:X509 | 20 |
| urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract | 15 |
| urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol | 10 |
| urn:oasis:names:tc:SAML:2.0:ac:classes:Password | 5 |

Each protection level is mapped to a URI strength level. The table shows the original list of URIs:

| URI | Protection Level Max | URI Strength |
|---|---|---|
| urn:oasis:names:tc:SAML:2.0:ac:classes:X509 | 1000 | 4 |
| urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract | 15 | 3 |
| urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol | 10 | 2 |
| urn:oasis:names:tc:SAML:2.0:ac:classes:Password | 5 | 1 |

The ranges cover the protection level of the CA SiteMinder® authentication scheme. For example:

If you group several of the URIs, the grouping enables URIs with different protection levels to have the same URI strength. The following modified table shows the groupings.

| URI | Protection Level Max | URI Strength |
|---|---|---|
| urn:oasis:names:tc:SAML:2.0:ac:classes:X509 | 1000 | 3 |
| urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract | 800 | 3 |
| urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol | 700 | 2 |
| urn:oasis:names:tc:SAML:2.0:ac:classes:Password | 200 | 1 |

The range of strength levels reflects the total number of groups in the list. For example, if there are three groups, the strength level ranges from 1 to the total number of groups, which is 3.
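The range and strength rules above can be checked offline before a template is saved. The following Python sketch is an added example, not product code: it derives each URI's protection level range from the maxima in the tables, reports any SiteMinder scheme whose level falls outside its URI's range, and confirms that strengths run from 1 to the number of groups. The function names are hypothetical, and the formula "minimum = next URI's maximum + 1, with the last range starting at 1" is an assumption, since the page only states that the minimum is derived from the next URI's maximum.

```python
# Added example, not product code. Assumptions: minimum = (maximum of the next
# URI in the list) + 1, and the last URI's range starts at 1. The page only
# says the minimum is derived from the next URI's maximum.
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# (URI, protection level max, URI strength) rows, copied from the page.
ORIGINAL = [(AC + "X509", 1000, 4), (AC + "MobileTwoFactorContract", 15, 3),
            (AC + "InternetProtocol", 10, 2), (AC + "Password", 5, 1)]
GROUPED = [(AC + "X509", 1000, 3), (AC + "MobileTwoFactorContract", 800, 3),
           (AC + "InternetProtocol", 700, 2), (AC + "Password", 200, 1)]
# SiteMinder scheme levels from the "Protection Level Example" table.
SCHEMES = {AC + "X509": 20, AC + "MobileTwoFactorContract": 15,
           AC + "InternetProtocol": 10, AC + "Password": 5}


def ranges(template):
    """Return {uri: (min, max)} for a template listed strongest first."""
    out = {}
    for i, (uri, level_max, _) in enumerate(template):
        next_max = template[i + 1][1] if i + 1 < len(template) else 0
        if level_max <= next_max:  # would produce an empty range
            raise ValueError(f"maximum for {uri} must exceed the next URI's")
        out[uri] = (next_max + 1, level_max)
    return out


def uncovered(template, schemes):
    """List (uri, level, range) for schemes whose level is outside the range."""
    r = ranges(template)
    return [(u, lvl, r.get(u)) for u, lvl in schemes.items()
            if u not in r or not r[u][0] <= lvl <= r[u][1]]


def strength_span(template):
    """Return (1, number of groups); reject gaps in the strength values."""
    levels = sorted({strength for _, _, strength in template})
    groups = len(levels)
    if levels != list(range(1, groups + 1)):
        raise ValueError("strengths must run from 1 to the number of groups")
    return (1, groups)


if __name__ == "__main__":
    print(ranges(ORIGINAL))              # derived (min, max) per URI
    print(uncovered(ORIGINAL, SCHEMES))  # empty list: every scheme is covered
    print(strength_span(GROUPED))        # three groups in the modified table
```

Rerun the coverage check whenever a maximum in the template or a protection level on a SiteMinder authentication scheme changes, because either change can move a scheme outside its URI's range.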